The EU's export control policy and dual use: how to resolve the legislative vacuum

In recent years it has become clear that the European Union is an important hub for the worldwide development and proliferation of harmful and intrusive software, systems and technologies. European companies have been able to export infiltration and spying software to buyers across the globe almost unchecked. It’s high time the EU strengthened its export control policy on dual use to avoid indirectly undermining privacy, free speech and even democracy in some countries.

These technologies have been used to target human rights activists, critics of regimes, NGOs and journalists in countries like Bahrain, Ethiopia, Egypt and many other places with dubious human rights track records. In addition, these kinds of technologies can and have been used against European citizens. They pose a real danger to our security and the security of the critical digital infrastructures we rely on in our everyday lives.

Resistance to action

NGOs and politicians have tried to push this problem higher on the agenda of European member states and the Commission, who have been dragging their feet. The revision of European export control policy, planned for 2015, is an important moment to address this problem. It is unacceptable that companies operate in a legislative vacuum while the impact of their products is so severe.

Dangerous technologies such as spying, infiltration and surveillance software fall under dual-use export policy, because these technologies also have legitimate law-enforcement uses, although those are also sometimes problematic. Together with the European Council, the European Parliament will be responsible for shaping the new dual-use export legislation. I will be responsible for this from the side of the liberal group in the European Parliament. In this process, I will push on three main issues.

Smart actions needed

The first crucial point is that we must create a more coherent and unified system for export control. At the moment, if a company is refused an export control licence in one member state, it can still freely export from another. So-called 'catch-all' controls, which are ad-hoc measures that can be used to quickly control exports of specific products or destinations, do not exist at the EU level. These measures exist only at member state level, which again makes them easy to circumvent. The best way to fight the fragmentation would be to raise the implementation of export control policy to the European level. That would also lead to a fairer and more level playing field. At the same time, we need flexibility to ensure licensing requirements and controls can be adjusted to changes in third countries.

It does not seem likely that member states would agree to such a revision of the legislation. The next best thing would be to look for other ways of increasing coordination of export control. Increased information exchange between member states on which licences they grant or refuse is key. But the transparency of the whole system should also be improved, meaning governments and companies alike could be held accountable for the products that are sold.

Secondly, we need to increase the accessibility of the export control process for stakeholders and experts. Companies, academics and NGOs have a lot of knowledge about the impact of certain products. This is shown for example by the extensive research done by Privacy International and Citizen Lab on the export and proliferation of dangerous technologies. This knowledge must be tapped to make sure that we can adapt policy to changes in technology and make sure we control the right products.

Thirdly, while it is essential that dangerous technologies are subject to export controls, it is also crucial that we do not overregulate, especially when it comes to the internet and digital products. To prevent this, the criteria of what is controlled and what is not must be tailored very specifically. If they are not, we risk a situation in which products which could be used for research or protection against cyber-attacks would be controlled. We need clear and smart measures and precision.

The commitment gap

In April, the European Commission came forward with a document which outlines its intentions for a new legislative proposal on export control policy. Many of the elements I push for were included in this document. Member states have finally acknowledged the importance of controlling the export of dangerous technologies by updating the export control lists through the Wassenaar Arrangement. However, we now need a real commitment to move forward to properly address the fact that legislation is seriously lagging behind technological developments. It causes huge problems for the protection of human rights and our own security. The European Parliament has already endorsed modernisation in the past, so the ball is firmly in the court of European member states' governments. What’s sorely needed is the will to follow through.

This article is part of Friends of Europe’s upcoming discussion paper on the future of dual-use technologies in Europe. The full discussion paper will be available in early September.